A LexisNexis Blog

Proposed Identity Theft “Red Flag” Rules

On February 28th, the CFTC and SEC published for public comment proposed rules and guidelines aimed at protecting investors from identity theft by ensuring that broker-dealers, mutual funds, futures commission merchants, swap dealers, and other regulated entities create programs to detect and respond appropriately to red flags. Section 1088 of the Dodd-Frank Act transferred authority over certain parts of the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”) to the SEC and CFTC for entities they regulate. The proposed rules are substantially similar to rules adopted in 2007 by the FTC and other federal financial regulatory agencies. The Commissions’ proposed rules and guidelines would not contain requirements not already in the FTC and other federal regulators’ rules, nor would they expand the scope of those rules to include new entities that are not already subject to the existing rules.

The SEC’s proposed scope for the rules includes broker-dealers, investment companies, investment advisers, and other entities registered or required to register under the Securities Exchange Act of 1934. Nationally recognized statistical ratings organizations, self-regulatory organizations, and municipal advisers and municipal securities dealers would not be subject to the rules because they are unlikely to qualify as “financial institutions” or “creditors” under the FCRA. The proposed scope also would not include entities that are not themselves registered with the SEC even if they register securities under the Securities Act of 1933 or the Exchange Act, or report information under the Investment Advisers Act of 1940.

Because some institutions may engage only in transactions with businesses where the risk of identity theft is minimal, the proposed rules would allow an institution to conclude that it does not need to develop and implement a program, or that it may develop and implement a program that applies only to a limited range of its activities. Under the proposed rules, a financial institution or creditor that initially determines that it does not need to have a program would be required to periodically reassess whether it must develop and implement a program in light of changes in the accounts that it offers or maintains, and the various other factors set forth in the proposed rules.

The proposed rules are also designed to be scalable, permitting programs that take into account the operations of smaller institutions. Regardless of size, each program must contain reasonable policies and procedures to: (1) identify relevant red flags; (2) detect red flags; (3) respond to red flags; and (4) update the program. These are the same elements already required by other federal agencies.

Each program must also be approved by the institution’s board or board committee; involve the board, a board committee, or senior management in the program’s development, implementation, and oversight; provide staff training; and exercise appropriate oversight of service provider arrangements.